Asset Inventory and GDPR compliance

Updated: Apr 13, 2020

A common problem for companies, especially fast-changing ones, on their road to GDPR compliance is “rogue” assets.

As businesses expand quickly, certain assets (servers, databases and applications) are often forgotten, or are brought in without the approval of the people who are in charge of, and ultimately responsible for, them.

The major cause of this is company growth. Growth and branching out fast can mean assets becoming neglected, or not properly managed by the organisation. Not knowing what assets you have or where data is in the organisation could get you in trouble with GDPR.

So how can we solve this problem?

Business Location Mapping

A solid starting point is to go to the ‘root’ – business applications.

These applications often collect data that is subject to GDPR.

One good way to handle this is to keep an application inventory recording the following:

  1. Application Vendor Name

  2. Application Name

  3. Whether the Application Contains Personal Data

  4. Personal Data Categories Processed within Application

  5. Implemented Security Measures

  6. Hosting Provider

  7. Location of the Data Processing

From this inventory you can create a flow chart that clearly shows the data flows across your business landscape. This gives your company a comprehensive view that helps track personal data and provides internal transparency.

Database Landscape Mapping

Collecting all the databases is done the same way as the application inventory, and the following information is useful:

  1. Database Server Name

  2. Database Type Running on the Server

  3. Database Instances Running on the Server

These let you track where the data physically resides and give an overview of which servers will need patching. The database instance list is useful for mapping the applications from the previous exercise to their corresponding databases.
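As an added illustration (not part of the original post), the application inventory and database landscape above can be kept as structured records and cross-referenced to surface rogue assets: database instances that no application claims, application links to instances missing from the landscape, and personal-data applications with empty GDPR fields. All vendor, application, server and instance names are constructed samples, and the database_instances link field is an assumption beyond the seven listed inventory fields.

```python
# Added example, not from the original post: the two inventories as records,
# cross-referenced to find rogue assets. All names are constructed samples.
from dataclasses import dataclass, field

@dataclass
class Application:
    vendor: str
    name: str
    has_personal_data: bool
    data_categories: list
    security_measures: list
    hosting_provider: str
    processing_location: str
    database_instances: list = field(default_factory=list)  # assumed link to DB landscape

@dataclass
class DatabaseServer:
    server_name: str
    db_type: str
    instances: list

APPLICATIONS = [  # constructed sample application inventory
    Application("Acme CRM Ltd", "CRM", True, ["contact details"],
                ["encryption at rest", "RBAC"], "Cloud Provider A",
                "EU (Frankfurt)", ["crm_prod"]),
    Application("In-house", "Newsletter Tool", True, ["email addresses"],
                [], "Cloud Provider A", "", ["newsletter_db"]),
    Application("Vendor B", "Build Server", False, [], ["SSO"], "On-premises", "EU (Dublin)"),
]
DATABASE_SERVERS = [  # constructed sample database landscape
    DatabaseServer("db-prod-01", "PostgreSQL 12", ["crm_prod", "analytics_scratch"]),
    DatabaseServer("db-prod-02", "MySQL 8", ["hr_legacy"]),
]

def unmapped_instances(apps, servers):
    """Instances on inventoried servers that no application claims: rogue data stores."""
    claimed = {inst for app in apps for inst in app.database_instances}
    return sorted(f"{s.server_name}/{i}" for s in servers
                  for i in s.instances if i not in claimed)

def dangling_references(apps, servers):
    """Application links to instances absent from the landscape: an unknown server."""
    known = {i for s in servers for i in s.instances}
    return sorted((a.name, i) for a in apps
                  for i in a.database_instances if i not in known)

def incomplete_personal_data_records(apps):
    """Apps processing personal data whose GDPR-relevant fields are not filled in."""
    return sorted(a.name for a in apps if a.has_personal_data and not
                  (a.data_categories and a.security_measures and a.processing_location))
```

Each finding points at a record to chase up with the responsible owner before the data flow chart is drawn.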

Governing your IT

Keeping your company in check requires policies that bring order to the business environment. One good example is a change request policy, which ensures that every change requires approval from the right people, preventing rogue applications from appearing in the first place. Another is a change management policy, which notifies the relevant people of changes to the production environment so that the application list, the database list, and the application and database landscapes are updated accordingly.

Following these steps will help you monitor the work on your internal programs, prevent rogue assets from appearing, and keep your business out of trouble with GDPR.